Approaches to risk management that an internal auditor may recommend to management include the following:
- Acceptance. Risk acceptance means accepting the risk and doing nothing to reduce the possibility that an adverse event will happen and doing nothing to limit the consequences if an adverse event does occur. This approach is normally only acceptable if the risk is insignificant.
- Reduction. Risk reduction involves taking measures to reduce the probability that an adverse event will happen, or reducing the consequences of an adverse event. Measures to reduce risk may involve instituting appropriate controls to minimize the risks to which the entity is exposed. Most internal controls are designed as risk reduction measures.
- Avoidance. Risk avoidance means avoiding transactions or situations that would create an exposure to a risk. For companies, it is normally impossible to avoid risks entirely without withdrawing from a business operation altogether.
- Transfer. Risk transfer means transferring the risk to a third party, often in return for a payment. The most commonly used example of risk transfer is probably the use of insurance. With insurance, risks are transferred to an insurance company in exchange for the payment of a premium.